Microsoft is investigating reports of a flaw that could allow someone to remotely execute code on a system running certain versions of SQL Server.
"Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory," the company wrote in a security advisory published on Monday. "Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time."
Affected systems are: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected, the advisory says.
Microsoft said that once it completes its investigation, it will "take the appropriate action to protect our customers," which could include issuing a security patch through a service pack, in the monthly security update, or via an out-of-cycle security update.
The vulnerability was disclosed December 4 by Bernhard Mueller of SEC Consult Vulnerability Lab.